Abstract

HTTP Origin-Bound Authentication (HOBA) is a design for an HTTP
authentication method with credentials that are not vulnerable to
phishing attacks, and that does not require a server-side password
database. The design can also be used in Javascript-based
authentication embedded in HTML. HOBA is an alternative to HTTP
authentication schemes that require passwords with all the negative
attributes that come with password-based systems. HOBA can be
integrated with account management and other applications running
over HTTP and supports portability, so a user can associate more than
one device or origin-bound key with the same service. We also
describe a way in which the HOBA design can be used from a Javascript
web client. When deployed, HOBA will be a drop-in replacement for
password-based HTTP authentication or JavaScript authentication.